The Continuous Diagnostics and Mitigation (CDM) program is designed to assess and mitigate cyber security threats across U.S. Federal civilian agencies. The program consists of four phases that address what is on the network (phase 1), who is on the network (phase 2), what is happening on the network (phase 3), and how is data protected (phase 4).
With phases 1 and 2 complete, civilian agencies now have identified the assets and users on their networks, attached continuous monitoring sensors to said assets, and aligned users’ privileges and credentials to appropriate resources. Phase 3 builds upon its predecessors and contains requirements focusing on how the network is protected. In particular, the Boundary Protection and Event Management (BOUND) tool functional area (TFA) is intended to diminish inappropriate access to data, systems and networks. The requirements contain three components: BOUND-F (filtering technology), BOUND-E (encryption), and BOUND-P (physical access protection). The BOUND requirements detail the most effective methods to protect sensitive data-at-rest and in-motion via encryption and key management.
With phases 1 and 2 complete, civilian agencies now have identified the assets and users on their networks, attached continuous monitoring sensors to said assets, and aligned users’ privileges and credentials to appropriate resources. Phase 3 built upon its predecessors and contains requirements focusing on how the network is protected. In particular, the Boundary Protection and Event Management (BOUND) tool functional area (TFA) is intended to diminish inappropriate access to data, systems and networks. The requirements contain three components: BOUND-F (filtering technology), BOUND-E (encryption), and BOUND-P (physical access protection). The BOUND requirements detail the most effective methods to protect sensitive data-at-rest and in-motion via encryption and key management. Phase 3 also addresses what is happening on the network and details event management requirements, and operate, monitor and improve requirements. This includes preparedness and response to contingencies and incidents (TFA 10 and 11) as well as the management of audit information (TFA 14).
Phase 4, focuses on data protection—the most critical component of an effective cyber security strategy. This phase introduces several capabilities that protect sensitive data “at rest, in use, and in transit, to ensure the confidentiality, integrity, and availability of data assets, and to ensure that sensitive information is subject to authorized access and use only”. It establishes protocols to identify and classify sensitive data and the location in which it resides as well as its associated data flows. Furthermore, phase 4 outlines data access controls to identify authorized users, roles, and uses.
Phase 4 Data Protection (DATA_PROT) requirements focus on applying protection to the data itself through encryption, access control and logging/monitoring. These encryption and key management requirements, many established under BOUND-E, include application encryption, file encryption, storage container encryption, and full disk encryption.
THALES TCT ENCRYPTION AND KEY MANAGEMENT SOLUTIONS FOR CDM
Thales Trusted Cyber Technologies (TCT) offers encryption and key management solutions that deliver the same level of security whether deployed in enterprise, tactical or cloud environments. Our solutions enable agencies to meet their CDM requirements while investing in a solution that provides robust security, a growing ecosystem, and the scalability needed to build a trusted framework for the future. Our solutions have a U.S. supply chain and can be deployed in any environment and easily integrate into an existing cyber security infrastructure. Thales TCT’s encryption and key management solutions have received CDM Approved Product List (CDM APL) approval to address phase 3 and phase 4 requirements.
Data Encryption and Key Management
Thales TCT’s CipherTrust Data Security Platform offers comprehensive solutions that help government agencies address these requirements. With the CipherTrust Data Security Platform, agencies can establish strong safeguards around sensitive data and minimize critical risks associated with leaving it in an unprotected state. Thales TCT’s solutions offer the controls required to ensure only authorized users can gain access to sensitive data at rest. These solutions can secure unstructured data, including documents, spreadsheets, images, web pages and more. These solutions can also secure structured data, such as fields in databases and applications that contain personally identifiable information, protected health information, mission data and other sensitive records.
With CipherTrust Data Security Platform, agencies can take a comprehensive, organization-wide approach to protecting data in support of CDM. This platform offers a number of capabilities that either comply with or exceed CDM requirements:
- Encryption and key management. CipherTrust Data Security Platform offers strong, centrally managed file encryption that is transparent to processes, applications and users. The platform also delivers capabilities for efficient, centralized key management.
- Access controls. CipherTrust Data Security Platform delivers advanced role-based access controls that integrate with the existing security structure for efficient deployments.
- Multi-tenant support. CipherTrust Data Security Platform provides secure multi-tenancy support in the data center, cloud environments, and autonomous servers, whether they’re running on Windows, Linux or UNIX. CipherTrust Data Security solution enables each distinct data owner to have unique administrative functions on the centralized management appliance. This allows data that would otherwise have to be “air gapped” on separate storage devices to be cryptographically separated on shared infrastructure.
- Privileged user controls. With CipherTrust Data Security Platform, security teams can establish granular controls that blind data at rest, even to individuals with privileged user account permissions, such as system administrators with root access and service account users. By leveraging these capabilities, agencies can establish strong defenses against insider threats.
- Security intelligence. CipherTrust Data Security Platform delivers logs that capture attempts to access protected data, providing high-value security intelligence. These logs can be used in conjunction with a security information and event management (SIEM) solution for compliance reporting.
Network Encryption Solutions
Thales TCT’s Network Encryption solutions provide agencies with a single platform to ‘encrypt everywhere’— from network traffic between data centers and the headquarters to backup and disaster recovery sites, whether on premises or in the cloud. These solutions offer powerful safeguards for data in motion, delivering network layer independent encryption capabilities that provide security without compromise, as well as maximum throughput and minimal latency.
